public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat.
@ 2021-06-09 22:25 goldstein.w.n at gmail dot com
  2021-06-09 22:25 ` [Bug string/27974] " goldstein.w.n at gmail dot com
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: goldstein.w.n at gmail dot com @ 2021-06-09 22:25 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=27974

            Bug ID: 27974
           Summary: Overflow bug in some implementation of of wcsnlen,
                    wmemchr, and wcsncat.
           Product: glibc
           Version: 2.34
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: goldstein.w.n at gmail dot com
  Target Milestone: ---

The bug is that some implementations assume that maxlen or n from wcsnlen and
wmemchr/wcsncat times sizeof(wchar_t) will not overflow.

It appears, however that there is no defined limit on maxlen * sizeof(wchar_t)
https://marc.info/?l=glibc-alpha&m=162323134028410&w=2

This bug would found in the following x86_64 implementations of wcsnlen and
wmemchr.

wcsnlen-sse4_1 ->
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/strlen.S;h=d223ea1700a7d0cb0dcf9c8f251f09d5b9eea91e;hb=HEAD#l68

wcsnlen-avx2 ->
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/strlen-avx2.S;h=bd2e6ee44a8ae113dfdb0de8bc6fc1b405d7ef28;hb=HEAD#l57

wmemchr-sse2 ->
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/memchr.S;h=beff2708de6a1e40de4141f94ff6fe763f041164;hb=HEAD#l39

wmemchr-avx2 ->
https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/x86_64/multiarch/memchr-avx2.S;h=0d8758e3e7190fbe54243312b7ecc2952e85465a;hb=HEAD#l66
This bug will also be present in wcsncat which uses wcsnlen:

https://sourceware.org/git/?p=glibc.git;a=blob;f=wcsmbs/wcsncat.c;h=27de72af6c7733fe0e27661874b64d57659b5ed9;hb=HEAD#l34





For example with a string of length 1000 the following cases would highlight
the bug:

wmemchr(string_length_1000, 0, (2^62) + 1) // would return NULL rather than s +
1000
wcsnlen(string_length_1000, (2^62) + 1) // would return 1 rather than 1000 
wcsncat(s2, string_length_1000, (2^62) + 1) // would only copy 1 wide char

-- 
You are receiving this mail because:
You are on the CC list for the bug.

^ permalink raw reply	[flat|nested] 11+ messages in thread
end of thread, other threads:[~2022-01-28  2:23 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-09 22:25 [Bug string/27974] New: Overflow bug in some implementation of of wcsnlen, wmemchr, and wcsncat goldstein.w.n at gmail dot com
2021-06-09 22:25 ` [Bug string/27974] " goldstein.w.n at gmail dot com
2021-06-23 18:29 ` goldstein.w.n at gmail dot com
2022-01-27 21:11 ` [Bug string/27974] Overflow bug in some implementation " hjl.tools at gmail dot com
2022-01-27 22:40 ` cvs-commit at gcc dot gnu.org
2022-01-27 23:19 ` cvs-commit at gcc dot gnu.org
2022-01-28  0:24 ` cvs-commit at gcc dot gnu.org
2022-01-28  0:40 ` cvs-commit at gcc dot gnu.org
2022-01-28  2:21 ` cvs-commit at gcc dot gnu.org
2022-01-28  2:22 ` cvs-commit at gcc dot gnu.org
2022-01-28  2:23 ` hjl.tools at gmail dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).